What can a computer recycle program and a little shoulder-surfing get you? For inmates at Ohio’s Marion Correctional Institution, it got them a great deal, enough to build two PCs from the yanked parts and then hide them in the ceiling, use a former employee’s credentials obtained by looking over his shoulder, and then commit “possible identity fraud along with other possible cyber-crimes.”

The Ohio Inspector General’s 50-page report (pdf) includes a big list of fails for the Ohio Department of Rehabilitation and Correction. The report reads like a mini novel of intrigue, weaving lax security as well as players across the prison system and prisoners into the story.

After the computers were found in July 2015, neither the former warden, nor other prison officials, immediately contacted the Ohio State Police or the Ohio Inspector General as policy dictates. The IG’s report said ODRC failed to report suspected illegal activity, failed to follow crime scene protection policy, failed to follow password security policy, failed to supervise inmates and protect information technology resources, and failed to follow State of Ohio asset management policy.

Inmates at the Marion Correctional Institution were working with a non-profit agency to dispose end-of-life computers. A prison employee in charge of the program is believed to have taken about “30 quad core computers” which were supposed to be dismantled to replace PCs at the prison. The weight difference in what came to the prison and what went out was made up by scrapping the prison’s old computers.

Crafty inmates started pilfering PC parts and smuggling them over 1,000 feet away – past guards and metal detectors – up to a training room on the third floor where they built two PCs and hid them in the ceiling. Then they ran wiring to connect to the prison’s network.

The computers were eventually discovered after ODRC IT received a Websense email that a computer exceeded the threshold for daily internet use. The employee notified ODRC’s Chief Information Officer that he had received seven hacking alerts and 59 proxy avoidance alerts in one afternoon for a specific user, a former prison employee. The logged-in user spent three hours trying to circumvent the proxy after being blocked from surfing to “several hacking sites.”

Eventually, the IT department determined the switch and port to which the PCs were connected. After following the cable from the switch, the unauthorized computers were found hidden in the ceiling on two pieces of plywood.

Forensic analysis of the hard drives determined the Department Offender Tracking System (DOTS) was attacked and inmate passes were created. The personal information about a young inmate sentenced for a long stretch was obtained and then used in five credit/debit card applications. Investigators also found a Bloomberg article on tax refund fraud; it described how a criminal “with valid Social Security numbers, dates of birth, bank account information, addresses, and an internet connection can illicitly obtain tax refunds loaded onto prepaid cards.”

One of the five inmates responsible for the hidden computers had sent text messages to his mom so she would go to a specific address to pick up any debit card applications in the mail. He admitted that he had intended to use the debit cards for a tax fraud scheme.

VPNs are not evil; so while I get what the investigators were trying to relay, VPN tools should not be lumped into the malicious tools category. Neither should CCleaner, which investigators said was executed at least 10 times, nor encryption tools. For many, those apps are used to enhance privacy. In fact, some of the software is only malicious if that is the user's intent.

Some of the other “malicious” tools listed by forensic investigators included Kali Linux, Wireshark, an email spamming tool, a hacking tool for man-in-the-middle attacks, password cracking tools and the encryption tool TrueCrypt. It is interesting to note that ODAS described the AdvOr (Advanced Onion Router) Tor Brower as “free software for enabling anonymous communication and is better than TOR for anonymity and speed.”

Ohio Inspector General Randall J. Meyer could not believe the inmates pulled this off, building the PCs without being caught, running cabling and then connecting to the network. He said, “They were able to travel through the institution more than 1,100 feet without being checked by security through several check points, and not a single correction's staff member stopped them from transporting these computers into the administrative portion of the building. It's almost if it's an episode of Hogan's Heroes.”

Although a prison spokesperson said the prison had taken steps and would continue to take steps to make sure nothing like this happens again, the inspector general’s report was sent to the Marion County prosecutor and the Ohio Ethics Commission for review.